1. Field of the Invention
The present invention relates to a data input/output management scheme for managing data input according to an input request from a program and data output according to an output request from a program, to protect electronic writing data.
2. Description of the Background Art
An unauthorized duplication of a writing protected by a copyright is prohibited by the copyright law. However, there is a possibility for a malicious person to make an unauthorized duplication of a copyright protected writing illegally because there is no technical measure to prevent such an illegal act. For instance, it is technically impossible to prevent a copying of a part or a whole of writing data such as a book, magazine, newspaper, or database, so that there remains a possibility for an illegal unauthorized duplication to be made despite regulation by the law.
In a case the writing data are offered electronically by means of media such as a network, floppy disks, CD-ROMs, etc., this problem of an unauthorized duplication is even more serious. Namely, a copying of the writing data offered in papers has significant drawbacks that it is costly and time consuming, a quality of the data can be deteriorated, and it is impossible to present the data in an arbitrary format. In contrast, a copying of the writing data offered electronically is neither costly nor time consuming, and a quality of the data is hardly deteriorated. In addition, in a case of a digital writing data, a presentation or a partial utilization in an arbitrary format is possible. Thus, an unauthorized duplication can be just as good as the original in a case of the electronically offered writing data.
Despite this fact, there has been no technical measure to prevent an unauthorized duplication of the electronically offered writing data conventionally. For instance, in a case of reading the writing data loaded onto a computer, a writing data application program for reading this writing data and presenting it to a user can also output this writing data to an external port, other process or file, etc., by generating an output request. This is because, once the writing data is given to this program, this program has a freedom as to how to handle this writing data, and there is no means for regulating the operation of this program. For this reason, it is possible for this program to transfer the writing data in its electronically offered format.
Such an undesired transfer of the writing data by the writing data application program can be prevented by refusing all the data output requests from a program at the computer, but this simple-minded measure in turn makes it impossible for every program to be operated on that computer to make any data output at all, so that it causes problems in operating programs other than the writing data application program. In addition, a program issues an output request even in a case of displaying the writing data on a medium such as a display, so that the simple-minded refusal of all the data output requests can create another serious problem that it becomes impossible to display the writing data at all.
In general, for any data not necessarily limited to the writing data, there has been no means for realizing a mechanism to permit a reading of that data but prohibit a generation of a duplication of that data or another data based on that data. In the following, a data for which a reading is permitted but a copying is prohibited will be referred to as a protected data.
Now, when such a protected data is given to a program, this program can write this protected data into a file, output this protected data to an external device through a port, or hand this protected data to another program by means of a communication among processes, so that there is a possibility for a duplication of this protected data to be produced.
Such a duplication of the protected data can be prevented by refusing all the output requests from a program, but this simple-minded measure causes a problem in that it is going to make any data output impossible from even a program which has not read the protected data. In addition, when all the output requests are refused, an output of the protected data to a medium such as a display which is incapable of making a duplication is also refused, so that the simple-minded refusal of all the data output requests can create another serious problem that it becomes impossible to display the protected data at all.
Thus, conventionally, it has only been possible to provide a uniform access control to the writing data, and a prohibition of the writing data output can only be realized by prohibiting data output for all the data. In addition, it has conventionally been impossible to realize a sophisticated input/output management for the writing data to permit only a reading of the writing data, or to permit only an output of the writing data to a medium such as a display which is incapable of making a duplication.
On the other hand, a conventional computer system has a security mechanism, by which the management of data such as files is carried out according to the rights set up by a system manager. This type of management is suitable for data for which a specific organization or individual who owns this computer system has rights to carry out operations such as reading, updating, and distributing, etc.
However, in a case of dealing with the writing data such as programs, pictures, novels, etc. on the computer system, the organization or individual who owns this computer system often does not have all rights to carry out all operations on the writing data. For instance, there are cases in which a reading or a utilization is permitted but an updating or a re-distribution is prohibited by the author of the writing data.
In a case of handling such a writing data on a usual computer system, there is a possibility for a malicious system manager to rewrite the access rights for the writing data, or to utilize the writing data improperly by reading and writing under the right given to the system manager.
In order to prevent such an improper act by a system manager, there is a proposition of a concept called "superdistribution" (R. Mori, et al.: The Transactions Of The IEICE, Vol. E73, No. 7, pp. 1133-1146, July 1990) which manages a permission/rejection of a program utilization by a scheme that cannot be interfered with even by a system manager. In the "superdistribution" system, a label indicating an author, a utilization/distribution condition, a charging method, etc. is attached to each writing data, and this label cannot be changed by a usual software, so that it is possible to realize the copyright protection for the application programs.
Apart from this "superdistribution", in the OS (Operating System) which is classified as the security level B according to the security level classification for the OS known as "Orange Book" (Department of Defense Trusted Computer System Evaluation Criteria, Department of Defense Standard DoD 5200.28-STD, Library No. S225,711, DoD Computer Security Center, December 1985), it is possible to make a program or user which is permitted to read and write some data to be incapable of handing that data to another program or user which is not permitted to read and write that data, by means of a mechanism called "mandatory protection". By applying this scheme to the writing data, it is also possible to protect a file which contains the data having no program codes.
However, in the conventional writing data management mechanism mentioned above, only programs are subjected to the copyright protection, and there is no mechanism for protecting passive writing data such as pictures, novels, etc. which have no program codes themselves and which are to be utilized by being read into another program.
For instance, even if a copyright label is attached to such a passive writing data for the purpose of protection, it is still possible for a malicious application program which read this passive writing data to manage such a copyright label improperly. Here, an improper management of a copyright label includes a falsification or deletion of a copyright label for the purpose of making a copy of the writing data.
Also, there is a type of writing data which is formed to contain other writing data therein. For instance, in a case of producing a book of paintings by editing images of a plurality of paintings according to a certain theme, there is a need to manage not just a copyright of the produced book of paintings (a secondary writing data) but also a copyright of each original painting (a primary writing data) as well.
Here, in the application program which has a function for producing a book of paintings by editing images of a plurality of paintings as described above, a copyright label to be attached to the secondary writing data should be in conformity with the authors, utilization/distribution conditions, charging methods, etc. of the copyright labels attached to the primary writing data. More specifically, there is a need to attach a copyright label in which all the authors of the primary writing data are included, while only the utilization/distribution conditions commonly permitted in all the primary writing data are permitted, and the charging by each one of the authors will be made properly.
However, when an application program produces such a secondary writing data, there is a possibility for the secondary writing data to be attached with a copyright label which does not respect contents of the copyright labels of the primary writing data, so that there is no guarantee that the application program manages the copyright label in a desired manner as described above in the conventional mechanism.
For this reason, in order to protect the copyright by the conventional mechanism, it is necessary to embed the writing data into the application program in advance, but this scheme has a problem that degrees of freedom in processing as well as a processing speed will be lowered. In addition, it is difficult to modify existing application programs programmed to read the data and operate on the data such that they can also be utilized for carrying out the copyright management, so that there is a need to develop new application programs.
Besides those described above, as a conventional method for protecting the writing data, there is also a method in which a direct reading of the writing data by the application program is not allowed, and the operation with respect to the writing data can be carried out only through the OS. However, in this method, only the processing supported by the OS can be carried out, so that it is impossible to carry out a special processing of the application program. In addition, as the OS is called up in every processing, this method requires a considerable execution time.
On the other hand, in the conventional OS in the security level B, the management by the OS is carried out under the assumption that, when a certain data is given to the application program, data based on that certain data can possibly be written into every file to which data is to be written after that certain data is read by the application. When the writing data management is carried out by such an OS, in the application program which reads and writes a plurality of writing data one after another, the copyright label of the writing data that had been read up until then at least once will be attached to all the writing data files which are written subsequently, so that there are cases in which the writing data are attached with a totally unrelated copyright label.
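The label rule for secondary writing data (all authors included, only commonly permitted conditions kept) and the process-wide label attachment just described can be seen together in the following added example, which is not part of the original text. The class and function names, the file names, the two authors and the set of conditions are all constructed for illustration, and charging methods are left out.

```python
from dataclasses import dataclass

# Constructed universe of utilization/distribution conditions (assumption).
ALL_CONDITIONS = frozenset({"read", "update", "redistribute"})

@dataclass(frozen=True)
class Label:
    authors: frozenset
    permitted: frozenset

def merge(labels):
    """Secondary-data label: every author, only commonly permitted conditions."""
    authors, permitted = frozenset(), ALL_CONDITIONS
    for lab in labels:
        authors |= lab.authors
        permitted &= lab.permitted
    return Label(authors, permitted)

class ProcessLevelMonitor:
    """Every label the process has read is attached to every later write."""
    def __init__(self, store):
        self.store = dict(store)   # file name -> Label
        self.seen = []             # labels read so far by this process

    def read(self, name):
        self.seen.append(self.store[name])

    def write(self, name):
        self.store[name] = merge(self.seen)
        return self.store[name]

def demo():
    # Constructed sample data: two unrelated works.
    painting = Label(frozenset({"Alice"}), frozenset({"read", "redistribute"}))
    novel = Label(frozenset({"Bob"}), frozenset({"read"}))
    mon = ProcessLevelMonitor({"painting.img": painting, "novel.txt": novel})

    mon.read("painting.img")
    thumb = mon.write("thumb.img")      # derived from the painting only
    mon.read("novel.txt")
    excerpt = mon.write("excerpt.txt")  # derived from the novel only

    precise = merge([novel])            # label the excerpt should carry
    return thumb, excerpt, precise
```

Here `excerpt.txt` ends up listing both authors although it depends only on the novel, which is the unrelated-label case; a label tracked per data item would instead match `precise`.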